Posted to users@tomcat.apache.org by Rupesh P <pr...@gmail.com> on 2022/05/17 09:07:07 UTC

FIPS Mode is not getting enabled in Tomcat9 using Openssl 3.0.2 post successful FIPS module installation in windows

Good Evening,
I have an issue while enabling FIPS mode in Tomcat 9 for Windows, where it
throws me the error "Failed to enter fips mode". Below are the detailed
explanation and content. Sorry for the length, but I am trying to provide
all of the relevant details in the hope that the solution to this issue will
be easily identifiable.

*Method 1:*

Software Specifications:
Tomcat version - 9.0.34
Openssl version - 3.0.2
OS - Windows Server 2019 64-bit

I have installed the openssl version (3.0.2) along with the FIPS Module
installation as per the steps mentioned in the wiki (
https://wiki.openssl.org/index.php/OpenSSL_3.0#Installation_and_Compilation_of_OpenSSL_3.0
).

The openssl 3.0.2 and fips module got installed successfully.
[image: openssl version.PNG]


Post installation of Openssl,  I tried enabling the FIPS mode in tomcat9,
For that I have performed:


   1. Added the FIPSMODE="on" for APR listener in the server.xml of Tomcat9.
   2. Restarted the Tomcat server.
   3. But FIPS Mode was not enabled.

[image: Fipsmode server xml.PNG]

[image: fips error1.PNG]

*Method 2:*

I researched on the web and found a few links and references for enabling
FIPS mode in Tomcat, but those are for the older version of OpenSSL (i.e.
1.0.2l), where they also download the OpenSSL FIPS Object Module
2.0.16 as an external package and build it with the tcnative library.

The steps are:

Building the OpenSSL
Building APR
Building Tomcat native library.
Adding the FIPSMode="on" for the APR listener.
The link of the reference:
https://www.ysofters.com/2017/07/25/building-and-using-fips-capable-openssl-in-apache-tomcat/

I followed the same steps and tried building the Tomcat Native library,
except omitting the FIPS Object Module build setup, since in our case the
FIPS FOM is integrated with OpenSSL 3.0.

The versions of the modules I used:

OPENSSL 3.0.2
APR version 1.7.0
Tomcat Native library 1.2.32
I have successfully built the Tomcat Native library and tried putting it in
the bin folder and restarted the Tomcat service. But there I get another
error message stating "FIPS was not available to tcnative at build time".
[image: fips error.PNG]

There is a switch or parameter which is passed to build tcnative
along with FIPS. When I tried building tcnative with that parameter, I
get an error.
[image: native error.PNG]

The command that I used for building tcnative is:
nmake -f NMAKEMakefile BUILD_CPU=x64
WITH_APR="C:\temp\Rupesh\tomcat-native-1.2.32-src.tar\tomcat-native-1.2.32-src\native\srclib\deps-x64\apr-1.7.0"
WITH_OPENSSL="C:\temp\Rupesh\tomcat-native-1.2.32-src.tar\tomcat-native-1.2.32-src\native\srclib\deps-x64\openssl-3.0.2"
APR_DECLARE_STATIC=1 OPENSSL_NEW_LIBS=1 WITH_FIPS=1

Without the WITH_FIPS=1 parameter the tcnative is getting built
successfully.

So these are the findings I have made. Is there any way to overcome this
issue?
Please do let me know if there are any other options or ways to resolve this
error (to enable FIPS mode in Tomcat 9).


Thanks,

Rupesh P.

Re: FIPS Mode is not getting enabled in Tomcat9 using Openssl 3.0.2 post successful FIPS module installation in windows

Posted by Mark Thomas <ma...@apache.org>.
On 01/06/2022 17:00, Christopher Schultz wrote:
> Mark,
> 
> On 6/1/22 09:49, Mark Thomas wrote:
>> On 20/05/2022 12:43, Mark Thomas wrote:
>>
>> <snip/>
>>
>>> Tomcat Native has not been updated for OpenSSL 3.0.x and FIPS. Code 
>>> changes in Tomcat Native are going to be required to get this to work.
>>
>> After doing some work on this I have an update.
>>
>> First of all, OpenSSL 3 has not yet obtained FIPS certification. You 
>> can use the FIPS provider but it is not (yet) certified.
>>
>> To use the OpenSSL 3 FIPS provider with Tomcat you need to do all of 
>> the following:
>> - build Tomcat Native 1.2.x with OpenSSL 3.x
>> - configure OpenSSL to use the FIPS provider by default
>>    https://www.openssl.org/docs/man3.0/man7/fips_module.html
> 
> If this is anything like OpenSSL 1.x, you will need to build OpenSSL 
> with FIPS enabled to begin with. It's not just a runtime setting. (I 
> don't claim to understand the fine details of FIPS, but IMHO it should 
> have been possible for OpenSSL to be built in a standard way with FIPS 
> operational mode being simply a runtime decision, but that isn't how 
> OpenSSL did things... at least not originally.)

FIPS in 3.x is very different. Details are in the OpenSSL man page I 
linked above.

>> - DO NOT configure the APRLifecycleListener to use FIPS
> 
> Oh, that's interesting :)
> 
> Is that because the provider itself is FIPS and therefore there's no 
> reason to have an API to specifically-enable it?

You can use it via API but it is possible to enable it entirely via 
configuration.

> Is it possible to 
> confirm from client code e.g. libtcnative that the module is indeed in 
> FIPS mode?

You can confirm that the FIPS provider is the default provider which 
should be good enough.

This is why I asked earlier whether we wanted to add a confirmation 
check to each TLS connection to check that the selected cipher was from 
the FIPS provider.

>> Although you won't see any confirmation in the logs, Tomcat Native 
>> will be using the OpenSSL FIPS provider.
>>
>> Updates are in progress so that:
>> - Tomcat will log a message on start when FIPS is the default provider
>> - setting the FIPSMode options when using OpenSSL 3 won't break things
>>
>> The above will require Tomcat Native 1.2.34 onwards.
> 
> I think we might want to make a note of all this in the documentation 
> for the APR lifecycle listener, including all the version information 
> you have above.

The updates I have locally include most of that either in the docs or 
the change log.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: FIPS Mode is not getting enabled in Tomcat9 using Openssl 3.0.2 post successful FIPS module installation in windows

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Mark,

On 6/1/22 09:49, Mark Thomas wrote:
> On 20/05/2022 12:43, Mark Thomas wrote:
> 
> <snip/>
> 
>> Tomcat Native has not been updated for OpenSSL 3.0.x and FIPS. Code 
>> changes in Tomcat Native are going to be required to get this to work.
> 
> After doing some work on this I have an update.
> 
> First of all, OpenSSL 3 has not yet obtained FIPS certification. You can 
> use the FIPS provider but it is not (yet) certified.
> 
> To use the OpenSSL 3 FIPS provider with Tomcat you need to do all of the 
> following:
> - build Tomcat Native 1.2.x with OpenSSL 3.x
> - configure OpenSSL to use the FIPS provider by default
>    https://www.openssl.org/docs/man3.0/man7/fips_module.html

If this is anything like OpenSSL 1.x, you will need to build OpenSSL 
with FIPS enabled to begin with. It's not just a runtime setting. (I 
don't claim to understand the fine details of FIPS, but IMHO it should 
have been possible for OpenSSL to be built in a standard way with FIPS 
operational mode being simply a runtime decision, but that isn't how 
OpenSSL did things... at least not originally.)

> - DO NOT configure the APRLifecycleListener to use FIPS

Oh, that's interesting :)

Is that because the provider itself is FIPS and therefore there's no 
reason to have an API to specifically-enable it? Is it possible to 
confirm from client code e.g. libtcnative that the module is indeed in 
FIPS mode?

> Although you won't see any confirmation in the logs, Tomcat Native will 
> be using the OpenSSL FIPS provider.
> 
> Updates are in progress so that:
> - Tomcat will log a message on start when FIPS is the default provider
> - setting the FIPSMode options when using OpenSSL 3 won't break things
> 
> The above will require Tomcat Native 1.2.34 onwards.

I think we might want to make a note of all this in the documentation 
for the APR lifecycle listener, including all the version information 
you have above.

-chris



Re: FIPS Mode is not getting enabled in Tomcat9 using Openssl 3.0.2 post successful FIPS module installation in windows

Posted by Mark Thomas <ma...@apache.org>.
On 20/05/2022 12:43, Mark Thomas wrote:

<snip/>

> Tomcat Native has not been updated for OpenSSL 3.0.x and FIPS. Code 
> changes in Tomcat Native are going to be required to get this to work.

After doing some work on this I have an update.

First of all, OpenSSL 3 has not yet obtained FIPS certification. You can 
use the FIPS provider but it is not (yet) certified.

To use the OpenSSL 3 FIPS provider with Tomcat you need to do all of the 
following:
- build Tomcat Native 1.2.x with OpenSSL 3.x
- configure OpenSSL to use the FIPS provider by default
   https://www.openssl.org/docs/man3.0/man7/fips_module.html
- DO NOT configure the APRLifecycleListener to use FIPS

Although you won't see any confirmation in the logs, Tomcat Native will 
be using the OpenSSL FIPS provider.

Updates are in progress so that:
- Tomcat will log a message on start when FIPS is the default provider
- setting the FIPSMode options when using OpenSSL 3 won't break things

The above will require Tomcat Native 1.2.34 onwards.

Mark
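As an added, illustrative example (it is not from this thread, nor Tomcat's or OpenSSL's own files), here is an openssl.cnf of the shape the fips_module(7) man page linked above describes for making the FIPS provider the default for every application that loads the configuration, which is the second step in the list above. The .include path is an assumption: it must point at the fipsmodule.cnf that `openssl fipsinstall` wrote on your machine (on Windows, a path such as C:\...\fipsmodule.cnf), and OpenSSL must be pointed at this file via the OPENSSL_CONF environment variable or the build's OPENSSLDIR.

```ini
# Added example openssl.cnf: FIPS provider as the default for all applications.
# Shape follows fips_module(7); the .include path below is an assumption and
# must be replaced with the fipsmodule.cnf produced by `openssl fipsinstall`.
config_diagnostics = 1
openssl_conf = openssl_init

# Pulls in the [fips_sect] section (module path, integrity MAC, activate = 1)
# that `openssl fipsinstall` generated. Placeholder path, not from the thread.
.include C:\path\to\fipsmodule.cnf

[openssl_init]
providers = provider_sect
alg_section = algorithm_sect

# Only the FIPS and base providers are activated; the default provider is
# deliberately absent, so non-approved algorithms are not available at all.
[provider_sect]
fips = fips_sect
base = base_sect

# The base provider supplies the encoders/decoders (PEM/DER, file store)
# that the FIPS provider does not, so keys and certificates can be loaded.
[base_sect]
activate = 1

# Default property query: algorithm fetches resolve to FIPS-approved
# implementations only.
[algorithm_sect]
default_properties = fips=yes
```

With this in place, `openssl list -providers` run against the same configuration should list `fips` and `base` but not `default`; confirming that the FIPS provider is the default provider is the check Mark describes, rather than a FIPSMode setting on the APRLifecycleListener, for a Tomcat Native built against OpenSSL 3.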





Re: FIPS Mode is not getting enabled in Tomcat9 using Openssl 3.0.2 post successful FIPS module installation in windows

Posted by Mark Thomas <ma...@apache.org>.
On 18/05/2022 06:14, Rupesh P wrote:
> Hi Christopher Schultz,
> I am sorry for the inconvenience caused.
> 
> Actually I am not able to enable FIPS mode in Tomcat 9 for Windows. It
> gives the error "Failed to enter fips mode".
> 
> Software Specifications:
>> Tomcat version - 9.0.34
>> Openssl version - 3.0.2
>> OS - Windows Server 2019 64-bit
> 
> I tried building the Tomcat Native library with APR (1.7.0),
> OpenSSL (3.0.2) and Tomcat Native library (1.2.32).
> 
> OpenSSL 3.0.2 along with FIPS got built successfully.
> 
> Since the FIPS Object Module package is already integrated with OpenSSL
> 3.0, there is no separate package for it. So I have built the Tomcat Native
> library and it got built successfully. But when I tried the following:
> 1. Put tcnative-1.dll in the bin folder of Tomcat 9
> 2. Added FIPSMODE="on" for the APR listener
> 3. Added the HTTPS connector to use the Native (OpenSSL) implementation of
> the SSL/TLS protocol
> 4. Restarted Tomcat and checked catalina.log
> 
> FIPS mode is not getting enabled; the log shows the error "Failed to
> enter fips mode" and along with that it also states "FIPS was not
> available to tcnative at build time".
> 
> The same steps I have performed for OpenSSL version 1.0.2 along with
> the FIPS Object Module package; there Tomcat was able to initialize FIPS
> mode and Tomcat started with FIPS mode.
> 
> Is there any way to overcome this issue?
> Please do let me know any solution for this issue.

Tomcat Native has not been updated for OpenSSL 3.0.x and FIPS. Code 
changes in Tomcat Native are going to be required to get this to work.

Mark



Re: FIPS Mode is not getting enabled in Tomcat9 using Openssl 3.0.2 post successful FIPS module installation in windows

Posted by Rupesh P <pr...@gmail.com>.
Hi Christopher Schultz,
I am sorry for the inconvenience caused.

Actually I am not able to enable FIPS mode in Tomcat 9 for Windows. It
gives the error "Failed to enter fips mode".

Software Specifications:
> Tomcat version - 9.0.34
> Openssl version - 3.0.2
> OS - Windows Server 2019 64-bit

I tried building the Tomcat Native library with APR (1.7.0),
OpenSSL (3.0.2) and Tomcat Native library (1.2.32).

OpenSSL 3.0.2 along with FIPS got built successfully.

Since the FIPS Object Module package is already integrated with OpenSSL
3.0, there is no separate package for it. So I have built the Tomcat Native
library and it got built successfully. But when I tried the following:
1. Put tcnative-1.dll in the bin folder of Tomcat 9
2. Added FIPSMODE="on" for the APR listener
3. Added the HTTPS connector to use the Native (OpenSSL) implementation of
the SSL/TLS protocol
4. Restarted Tomcat and checked catalina.log

FIPS mode is not getting enabled; the log shows the error "Failed to
enter fips mode" and along with that it also states "FIPS was not
available to tcnative at build time".

The same steps I have performed for OpenSSL version 1.0.2 along with
the FIPS Object Module package; there Tomcat was able to initialize FIPS
mode and Tomcat started with FIPS mode.

Is there any way to overcome this issue?
Please do let me know any solution for this issue.

Thanks,
Rupesh.



On Tue, May 17, 2022 at 10:02 PM Christopher Schultz <
chris@christopherschultz.net> wrote:

> Rupesh,
>
> Sorry for top-posting, but all of your screenshots were stripped-out of
> your original post. Can you please provide text-only information for the
> mailing list?
>
> Thanks,
> -chris
>
> On 5/17/22 05:07, Rupesh P wrote:
> > Good Evening,
> > I have an issue while enabling FIPS mode in Tomcat 9 for Windows, where
> > it throws me the error "Failed to enter fips mode". Below are the detailed
> > explanation and content. Sorry for the length, but I am trying to provide
> > all of the relevant details in the hope that the solution to this issue
> > will be easily identifiable.
> >
> > *Method 1:*
> >
> > Software Specifications:
> > Tomcat version - 9.0.34
> > Openssl version - 3.0.2
> > OS - Windows Server 2019 64-bit
> >
> > I have installed the OpenSSL version (3.0.2) along with the FIPS Module
> > installation as per the steps mentioned in the wiki
> > (https://wiki.openssl.org/index.php/OpenSSL_3.0#Installation_and_Compilation_of_OpenSSL_3.0).
> >
> > The openssl 3.0.2 and fips module got installed successfully.
> >
> > openssl version.PNG
> >
> >
> > Post installation of Openssl,  I tried enabling the FIPS mode in
> > tomcat9, For that I have performed:
> >
> >  1. Added the FIPSMODE="on" for APR listener in the server.xml of
> Tomcat9.
> >  2. Restarted the Tomcat server.
> >  3. But FIPS Mode was not enabled.
> >
> > Fipsmode server xml.PNG
> >
> > fips error1.PNG
> >
> > *Method 2:*
> >
> > I researched on the web and found a few links and references for
> > enabling FIPS mode in Tomcat, but those are for the older version of
> > OpenSSL (i.e. 1.0.2l), where they also download the OpenSSL FIPS
> > Object Module 2.0.16 as an external package and build it with the tcnative
> > library.
> >
> > The steps are:
> >
> > Building the OpenSSL
> > Building APR
> > Building Tomcat native library.
> > Adding the FIPSMode="on" for the APR listener.
> > The link of the reference:
> > https://www.ysofters.com/2017/07/25/building-and-using-fips-capable-openssl-in-apache-tomcat/
> >
> > I followed the same steps and tried building the Tomcat Native library,
> > except omitting the FIPS Object Module build setup, since in our case
> > the FIPS FOM is integrated with OpenSSL 3.0.
> >
> > The versions of the modules I used:
> >
> > OPENSSL 3.0.2
> > APR version 1.7.0
> > Tomcat Native library 1.2.32
> > I have successfully built the Tomcat Native library and tried putting it
> > in the bin folder and restarted the Tomcat service. But there I get
> > another error message stating "FIPS was not available to tcnative at
> > build time".
> >
> > fips error.PNG
> >
> > There is a switch or parameter which is passed to build tcnative
> > along with FIPS. When I tried building tcnative with that parameter,
> > I get an error.
> > native error.PNG
> >
> > The command that I used for building tcnative is:
> > nmake -f NMAKEMakefile BUILD_CPU=x64
> > WITH_APR="C:\temp\Rupesh\tomcat-native-1.2.32-src.tar\tomcat-native-1.2.32-src\native\srclib\deps-x64\apr-1.7.0"
> > WITH_OPENSSL="C:\temp\Rupesh\tomcat-native-1.2.32-src.tar\tomcat-native-1.2.32-src\native\srclib\deps-x64\openssl-3.0.2"
> > APR_DECLARE_STATIC=1 OPENSSL_NEW_LIBS=1 WITH_FIPS=1
> >
> > Without the WITH_FIPS=1 parameter the tcnative is getting built
> > successfully.
> >
> > So these are the findings I have made. Is there any way to overcome this
> > issue?
> > Please do let me know if there are any other options or ways to resolve
> > this error (to enable FIPS mode in Tomcat 9).
> >
> >
> > Thanks,
> >
> > Rupesh P.
> >
>
>
>

Re: FIPS Mode is not getting enabled in Tomcat9 using Openssl 3.0.2 post successful FIPS module installation in windows

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Rupesh,

Sorry for top-posting, but all of your screenshots were stripped-out of 
your original post. Can you please provide text-only information for the 
mailing list?

Thanks,
-chris

On 5/17/22 05:07, Rupesh P wrote:
> Good Evening,
> I have an issue while enabling FIPS mode in Tomcat 9 for Windows, where 
> it throws me the error "Failed to enter fips mode". Below are the detailed 
> explanation and content. Sorry for the length, but I am trying to provide 
> all of the relevant details in the hope that the solution to this issue 
> will be easily identifiable.
> 
> *Method 1:*
> 
> Software Specifications:
> Tomcat version - 9.0.34
> Openssl version - 3.0.2
> OS - Windows Server 2019 64-bit
> 
> I have installed the OpenSSL version (3.0.2) along with the FIPS Module 
> installation as per the steps mentioned in the wiki 
> (https://wiki.openssl.org/index.php/OpenSSL_3.0#Installation_and_Compilation_of_OpenSSL_3.0).
> 
> The openssl 3.0.2 and fips module got installed successfully.
> 
> openssl version.PNG
> 
> 
> Post installation of Openssl,  I tried enabling the FIPS mode in 
> tomcat9, For that I have performed:
> 
>  1. Added the FIPSMODE="on" for APR listener in the server.xml of Tomcat9.
>  2. Restarted the Tomcat server.
>  3. But FIPS Mode was not enabled.
> 
> Fipsmode server xml.PNG
> 
> fips error1.PNG
> 
> *Method 2:*
> 
> I researched on the web and found a few links and references for 
> enabling FIPS mode in Tomcat, but those are for the older version of 
> OpenSSL (i.e. 1.0.2l), where they also download the OpenSSL FIPS 
> Object Module 2.0.16 as an external package and build it with the tcnative 
> library.
> 
> The steps are:
> 
> Building the OpenSSL
> Building APR
> Building Tomcat native library.
> Adding the FIPSMode="on" for the APR listener.
> The link of the reference: 
> https://www.ysofters.com/2017/07/25/building-and-using-fips-capable-openssl-in-apache-tomcat/
> 
> I followed the same steps and tried building the Tomcat Native library, 
> except omitting the FIPS Object Module build setup, since in our case 
> the FIPS FOM is integrated with OpenSSL 3.0.
> 
> The versions of the modules I used:
> 
> OPENSSL 3.0.2
> APR version 1.7.0
> Tomcat Native library 1.2.32
> I have successfully built the Tomcat Native library and tried putting it 
> in the bin folder and restarted the Tomcat service. But there I get 
> another error message stating "FIPS was not available to tcnative at 
> build time".
> 
> fips error.PNG
> 
> There is a switch or parameter which is passed to build tcnative 
> along with FIPS. When I tried building tcnative with that parameter, 
> I get an error.
> native error.PNG
> 
> The command that I used for building tcnative is:
> nmake -f NMAKEMakefile BUILD_CPU=x64 
> WITH_APR="C:\temp\Rupesh\tomcat-native-1.2.32-src.tar\tomcat-native-1.2.32-src\native\srclib\deps-x64\apr-1.7.0" 
> WITH_OPENSSL="C:\temp\Rupesh\tomcat-native-1.2.32-src.tar\tomcat-native-1.2.32-src\native\srclib\deps-x64\openssl-3.0.2" 
> APR_DECLARE_STATIC=1 OPENSSL_NEW_LIBS=1 WITH_FIPS=1
> 
> Without the WITH_FIPS=1 parameter the tcnative is getting built 
> successfully.
> 
> So these are the findings I have made. Is there any way to overcome this 
> issue?
> Please do let me know if there are any other options or ways to resolve 
> this error (to enable FIPS mode in Tomcat 9).
> 
> 
> Thanks,
> 
> Rupesh P.
> 
